ietf-smtp

Re: RFC 3207 (STARTTLS) question

2005-08-22 15:42:43

On Mon, 22 Aug 2005, Harald Tveit Alvestrand wrote:

  -  A SMTP client would probably only want to authenticate an SMTP
     server whose server certificate has a domain name that is the
     domain name that the client thought it was connecting to.

Now... I have a server that is an MX host for half-a-dozen domains, and
has about 3 A records pointing to it (why is a long history). How does
my server know which certificate to present to the client, so that the
above general rule is satisfied? (For the MX case, the answer might be
"content of the MX record" rather than "domain that contains the MX
record" - doesn't help for the A case, and is not obvious from the text)

There's a general problem with the SMTP RFCs that they don't make a clear
distinction between domain names in general, and domain names that are
host names (which resolve to A and/or AAAA records), and domain names that
are mail domains (which resolve to MX records). TLS is usually used with
host names (e.g. when connecting to web servers or when using SMTP in
message submission mode) so the server should probably have one or three
certificates, depending on whether the hostname(s) used as the target of
the MX records refer to all IP addresses or just one. As in the web
virtual hosting case you need at least one IP address per TLS cert so
that the server can decide which one to present.

I don't use TLS for inter-domain SMTP - there seems little point :-)

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
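The certificate-selection problem discussed above, as an added example that is not part of the original post or of any MTA's code. It models the pre-SNI situation the thread assumes (the server can only pick a certificate by the address it accepted the connection on), so it computes which client-facing host names land on each address, compares that with what is deployed, and shows a delivering client checking the MX target host name rather than the mail domain. All zone data, addresses and certificate SAN lists are constructed for illustration; the name matcher is a simplified stand-in for a TLS library's verification and is not a complete RFC 6125 implementation.

```python
from collections import defaultdict

# Constructed data: mail domain -> MX target host names (the RRDATA of the
# MX records, not the domain that owns them).
MX = {
    "example.org": ["mx.example.net"],
    "example.com": ["mx.example.net"],
    "example.edu": ["mail.example.net"],
}

# Constructed data: host name -> A records.  mx.example.net answers on two
# addresses, mail.example.net shares one of them, and smtp.example.net is a
# submission host that clients reach by name rather than via MX.
A = {
    "mx.example.net": ["192.0.2.1", "192.0.2.2"],
    "mail.example.net": ["192.0.2.2"],
    "smtp.example.net": ["192.0.2.3"],
}
SUBMISSION_HOSTS = ["smtp.example.net"]

# Constructed data: SAN dNSName lists actually deployed per address.  The
# certificate on 192.0.2.2 covers mx.example.net only (a deliberate gap).
DEPLOYED = {
    "192.0.2.1": ["mx.example.net"],
    "192.0.2.2": ["mx.example.net"],
    "192.0.2.3": ["smtp.example.net"],
}


def hostname_matches(expected, dns_names):
    """Simplified dNSName check: exact match, case-insensitive, trailing dot
    ignored, and a single left-most '*' label standing for exactly one label."""
    expected = expected.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == expected:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.net"
            prefix = expected[: -len(suffix)] if expected.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


def names_per_address(a_records):
    """Invert the A records: address -> set of host names resolving to it."""
    by_ip = defaultdict(set)
    for host, ips in a_records.items():
        for ip in ips:
            by_ip[ip].add(host)
    return dict(by_ip)


def certificate_plan(mx, a_records, submission_hosts=()):
    """Without SNI the listening address is the only selector, so the
    certificate on each address must carry every client-facing name that
    resolves there: MX targets plus hosts clients connect to directly.
    Mail domains themselves never appear in the plan."""
    client_facing = {t for targets in mx.values() for t in targets}
    client_facing |= set(submission_hosts)
    plan = {}
    for ip, hosts in names_per_address(a_records).items():
        needed = sorted(hosts & client_facing)
        if needed:
            plan[ip] = needed
    return plan


def missing_names(plan, deployed):
    """Names a client may verify that the certificate on that address does
    not cover.  Empty result means every address is consistent."""
    gaps = {}
    for ip, needed in plan.items():
        missing = [n for n in needed if not hostname_matches(n, deployed.get(ip, []))]
        if missing:
            gaps[ip] = missing
    return gaps


def check_delivery(mail_domain, mx, a_records, deployed):
    """Simulate a delivering client taking the first MX target and its first
    address; report whether the certificate it meets matches the MX target
    host name, and whether it would have matched the mail domain instead."""
    target = mx[mail_domain][0]
    ip = a_records[target][0]
    presented = deployed[ip]
    return {
        "target": target,
        "ip": ip,
        "matches_mx_target": hostname_matches(target, presented),
        "matches_mail_domain": hostname_matches(mail_domain, presented),
    }


if __name__ == "__main__":
    plan = certificate_plan(MX, A, SUBMISSION_HOSTS)
    for ip, names in sorted(plan.items()):
        print(ip, "needs", ", ".join(names))
    print("gaps:", missing_names(plan, DEPLOYED))
    for domain in MX:
        print(domain, check_delivery(domain, MX, A, DEPLOYED))
```

Running it shows the "one or three certificates" point from the post directly: 192.0.2.2 needs a certificate naming both mx.example.net and mail.example.net because both MX targets resolve there, and the deployed certificate covering only one of them is reported as a gap. It also shows why the client's expected name has to be the MX target: delivery to example.org meets a certificate for mx.example.net, which matches the MX target and not the mail domain.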